Fix AWS SDK debug logging by making it configurable (issue #2270)#2290
Merged
yxxhero merged 3 commits intoNov 24, 2025
Merged
Conversation
912638f to
dddf315
Compare
6bac643 to
a1dd54a
Compare
11 tasks
a1dd54a to
d099d65
Compare
aditmeno
added a commit
to aditmeno/vals
that referenced
this pull request
Nov 24, 2025
This commit adds flexible AWS SDK logging configuration to vals while
changing the default to no logging for security, preventing credential
leakage.
Key changes:
1. Added Options.AWSLogLevel field for programmatic control
2. Implemented clean SetDefaultLogLevel() package-level function
3. Enhanced parseAWSLogLevel() with preset support
4. Changed default from aws.LogRetries | aws.LogRequest to 0 (no logging)
5. Added preset levels: "off", "minimal", "standard", "verbose"
6. Maintains AWS_SDK_GO_LOG_LEVEL environment variable precedence
Implementation approach:
- Uses package-level variable instead of modifying global environment
- Provides clean SetDefaultLogLevel() function for configuration
- No side effects on process-wide state
- Thread-safe initialization during vals.New()
Breaking change: Default behavior changes from logging to not logging.
Security rationale: Credentials should never leak unless explicitly
enabled for debugging.
Migration path:
- Environment variable: export AWS_SDK_GO_LOG_LEVEL=standard
- Code update: vals.New(vals.Options{AWSLogLevel: "standard"})
Related to: helmfile/helmfile#2270
Enables: helmfile/helmfile#2290
Signed-off-by: Aditya Menon <[email protected]>
d099d65 to
5fd2745
Compare
aditmeno
added a commit
to aditmeno/vals
that referenced
this pull request
Nov 24, 2025
This commit adds flexible AWS SDK logging configuration to vals while
changing the default to no logging for security, preventing credential
leakage.
Key changes:
1. Added Options.AWSLogLevel field for programmatic control
2. Implemented clean SetDefaultLogLevel() package-level function
3. Enhanced parseAWSLogLevel() with preset support
4. Changed default from aws.LogRetries | aws.LogRequest to 0 (no logging)
5. Added preset levels: "off", "minimal", "standard", "verbose"
6. Maintains AWS_SDK_GO_LOG_LEVEL environment variable precedence
Implementation approach:
- Uses package-level variable instead of modifying global environment
- Provides clean SetDefaultLogLevel() function for configuration
- No side effects on process-wide state
- Thread-safe initialization during vals.New()
Breaking change: Default behavior changes from logging to not logging.
Security rationale: Credentials should never leak unless explicitly
enabled for debugging.
Migration path:
- Environment variable: export AWS_SDK_GO_LOG_LEVEL=standard
- Code update: vals.New(vals.Options{AWSLogLevel: "standard"})
Related to: helmfile/helmfile#2270
Enables: helmfile/helmfile#2290
Signed-off-by: Aditya Menon <[email protected]>
5fd2745 to
23c2e90
Compare
aditmeno
added a commit
to aditmeno/vals
that referenced
this pull request
Nov 24, 2025
This commit adds flexible AWS SDK logging configuration to vals while
changing the default to no logging for security, preventing credential
leakage.
Key changes:
1. Added Options.AWSLogLevel field for programmatic control
2. Implemented clean SetDefaultLogLevel() package-level function
3. Enhanced parseAWSLogLevel() with preset support
4. Changed default from aws.LogRetries | aws.LogRequest to 0 (no logging)
5. Added preset levels: "off", "minimal", "standard", "verbose"
6. Maintains AWS_SDK_GO_LOG_LEVEL environment variable precedence
Implementation approach:
- Uses package-level variable instead of modifying global environment
- Provides clean SetDefaultLogLevel() function for configuration
- No side effects on process-wide state
- Thread-safe initialization during vals.New()
Breaking change: Default behavior changes from logging to not logging.
Security rationale: Credentials should never leak unless explicitly
enabled for debugging.
Migration path:
- Environment variable: export AWS_SDK_GO_LOG_LEVEL=standard
- Code update: vals.New(vals.Options{AWSLogLevel: "standard"})
Related to: helmfile/helmfile#2270
Enables: helmfile/helmfile#2290
Signed-off-by: Aditya Menon <[email protected]>
This PR fixes issue helmfile#2270 where AWS SDK debug logs expose sensitive credentials in helmfile output, by adding flexible, configurable AWS SDK logging with secure defaults. Problem: -------- Despite PR helmfile#2288's fix, AWS SDK debug logs still appeared in helmfile output, exposing sensitive information: - AWS tokens and authorization headers - Request/response bodies containing credentials - Secret metadata from vals providers Root Cause: ----------- 1. PR helmfile#2288 only suppressed vals' own logging via LogOutput: io.Discard 2. AWS SDK v2 uses separate logging (AWS_SDK_GO_LOG_LEVEL, WithClientLogMode) 3. Vals library defaulted to verbose logging (aws.LogRetries | aws.LogRequest) 4. No programmatic way to control AWS SDK logging Solution: --------- Two-part fix in conjunction with vals PR helmfile#893: 1. Vals library enhancement (helmfile/vals#893): - Added Options.AWSLogLevel field for programmatic control - Changed default from verbose to secure (no logging) - Added preset levels: off, minimal, standard, verbose - Maintains AWS_SDK_GO_LOG_LEVEL precedence 2. Helmfile changes (this PR): - Added HELMFILE_AWS_SDK_LOG_LEVEL environment variable - Enhanced vals configuration to use new AWSLogLevel field - Added conditional AWS SDK log suppression in remote.go (3 locations) - Comprehensive unit tests (15 test cases) Configuration: -------------- Preset levels via HELMFILE_AWS_SDK_LOG_LEVEL: - "off" (default) - No logging, secure, prevents credential leakage - "minimal" - Log retries only - "standard" - Log retries + requests (previous default behavior) - "verbose" - Log everything (requests, responses, bodies, signing) - Custom - Comma-separated values (e.g., "request,response") Priority order: 1. AWS_SDK_GO_LOG_LEVEL env var (highest) 2. HELMFILE_AWS_SDK_LOG_LEVEL env var 3. Secure default ("off") Testing: -------- Added comprehensive unit tests: - pkg/plugins/vals_test.go: 9 test cases * TestAWSSDKLogLevelConfiguration - all preset levels * TestEnvironmentVariableReading - env var parsing - pkg/remote/remote_test.go: 6 test cases * TestAWSSDKLogLevelInit - init() logic All tests passing: - pkg/plugins: PASS (3/3 test suites) - pkg/remote: PASS (all test suites) - golangci-lint: 0 issues Files changed: 7 files, 271 insertions(+), 31 deletions(-) Security: --------- Before: Credentials exposed by default (aws.LogRetries | aws.LogRequest) After: Credentials protected by default (no logging unless explicitly enabled) Follows security principles: - Secure by default - Principle of least privilege - Explicit opt-in for sensitive logging - Defense in depth Dependency: ----------- Depends on: helmfile/vals#893 Currently using: aditmeno/vals@a97336ce2bf6 (via go.mod replace) After vals PR merges: Update to official release Fixes: helmfile#2270 Related: helmfile#2288, helmfile#2289, helmfile/vals#893 Signed-off-by: Aditya Menon <[email protected]>
23c2e90 to
637dbdf
Compare
Contributor
Author
|
@paulbehrisch Could you verify if the helmfile built from this PR achieves the same result? |
Updated vals dependency to commit 06d7cd29 which implements clean parameter-based AWS SDK logging configuration instead of using global state mutation. Changes in vals implementation: - AWS log level passed through function parameters to each provider - No os.Setenv() - no environment mutation - No package-level global variables - No sync/atomic dependency needed - Thread-safe by design - each provider instance has its own log level This maintains the same functionality as before but with a cleaner implementation that avoids global state mutation. Signed-off-by: Aditya Menon <[email protected]>
Member
|
@aditmeno vals is ready. |
Update from vals fork (aditmeno/vals) to official release v0.42.6. Remove replace directive now that vals PR helmfile#893 has been merged upstream. This brings in the AWS SDK log level configuration improvements: - SetDefaultLogLevel() package-level function - Options.AWSLogLevel field support - Secure default (no logging) - Preset log levels (off, minimal, standard, verbose) Also updates related dependencies: - Azure SDK and auth libraries - AWS SDK config and credentials - OAuth2 library Signed-off-by: Aditya Menon <[email protected]>
Contributor
Author
|
@yxxhero PR is ready for review |
yxxhero
approved these changes
Nov 24, 2025
Copilot AI
added a commit
that referenced
this pull request
Nov 28, 2025
…iles
This fixes an issue where template expressions like {{ env "VAR" }},
{{ readFile "file" }}, or {{ fetchSecretValue "ref+..." }} in inline
values passed to sub-helmfiles were not being rendered when the parent
helmfile used a .yaml extension instead of .yaml.gotmpl.
The fix adds template rendering for inline map values in
LoadEnvironmentValues, ensuring that template expressions are
properly evaluated in the context of the parent helmfile's directory.
Fixes #2290
Co-authored-by: yxxhero <[email protected]>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
This PR properly fixes issue #2270 where AWS SDK debug logs continue to appear in helmfile output despite the fix in PR #2288.
Two-part solution: This PR works in conjunction with vals PR #893 to provide flexible, configurable AWS SDK logging with secure defaults.
This PR depends on: helmfile/vals#893
Current status:
SetDefaultLogLevel()package-level function847469e1d13bvia replace directiveAfter vals PR merge:
go get github.com/helmfile/vals@latest go mod tidy # Remove replace directive from go.modProblem Statement
As reported in PR #2288 comment, users still see AWS SDK debug logs in helmfile 1.2.1:
This exposes sensitive information including:
Root Cause Analysis
The original fix in PR #2288 added
LogOutput: io.Discardtovals.Options, but this only suppressed vals' own logging, not the AWS SDK's debug output.Why the issue persisted:
AWS SDK v2 uses a separate logging system:
AWS_SDK_GO_LOG_LEVELenvironment variableWithClientLogModeoption in AWS configLogOutputAWS SDK clients in
remote.goneeded attention:config.LoadDefaultConfig()calls had no log suppressionVals library defaulted to verbose logging:
aws.LogRetries | aws.LogRequestas defaultSolution
Two-Part Fix
Part 1: Vals Library Enhancement (PR #893)
Clean implementation without environment variable modification:
Options.AWSLogLevelfield for programmatic controlSetDefaultLogLevel()function inawsclicompatpackageparseAWSLogLevel()to check package-level variable between env var and parameteraws.LogRetries | aws.LogRequestto0(no logging)"off","minimal","standard","verbose"AWS_SDK_GO_LOG_LEVELalways wins)Key implementation details:
Part 2: Helmfile Changes (This PR)
1. Added Flexible Configuration (
pkg/envvar/const.go)Preset levels:
"off"(default) - No AWS SDK logging (secure, prevents credential leakage)"minimal"- Log retries only (minimal debugging)"standard"- Log retries + requests (previous default behavior)"verbose"- Log everything (requests, responses, bodies, signing)"request,response,signing"2. Enhanced Vals Configuration (
pkg/plugins/vals.go)3. Conditional AWS SDK Log Suppression (
pkg/remote/remote.go)Made
WithClientLogMode(0)conditional in all 3 AWS config locations:S3Getter.Get()- S3 chart downloadsS3Getter.S3FileExists()- S3 file checks (region config)S3Getter.S3FileExists()- S3 file checks (default config)4. Comprehensive Unit Tests
Added extensive test coverage to verify AWS SDK logging behavior:
pkg/plugins/vals_test.go:✅
TestAWSSDKLogLevelConfiguration- Tests all preset levels + customLogOutput = io.Discardonly when level is "off"✅
TestEnvironmentVariableReading- Tests env var parsingpkg/remote/remote_test.go:TestAWSSDKLogLevelInit- Tests init() logicTest Results:
Usage Examples
🔒 Production (Default - Secure)
🔍 Minimal Debugging (Retries Only)
📊 Standard Debugging (Previous Default)
🔬 Verbose Debugging (Full Details)
🎯 Custom Granular Control
HELMFILE_AWS_SDK_LOG_LEVEL=request,response helmfile diff # Fine-grained control over specific log components🌐 Environment Variable Priority
Configuration Priority
The logging configuration follows this priority order (highest to lowest):
AWS_SDK_GO_LOG_LEVELenvironment variable (highest priority)HELMFILE_AWS_SDK_LOG_LEVELenvironment variable →Options.AWSLogLevel→awsclicompat.SetDefaultLogLevel()"off"- no logging)This ensures:
Approach
This PR takes a two-tier approach:
Fix the root cause in vals library (PR helmfile hangs on large diff with --enable-live-output #893)
SetDefaultLogLevel()instead of modifying global environment variablesLeverage vals improvements in helmfile (this PR)
Options.AWSLogLevelfieldThis approach ensures the fix is thorough and maintainable, with secure defaults that prevent credential leakage while still allowing users to enable debugging when needed.
Security Impact
🔒 Before (helmfile ≤ 1.2.1)
aws.LogRetries | aws.LogRequest🔐 After (This PR)
0)Security principles:
Testing
All code compiles, passes linting, and comprehensive test coverage:
Unit Tests:
Test Coverage:
Files Changed
Helmfile Changes (This PR)
go.modgo.sumpkg/envvar/const.goHELMFILE_AWS_SDK_LOG_LEVELconstantpkg/plugins/vals.gopkg/plugins/vals_test.gopkg/remote/remote.gopkg/remote/remote_test.goTotal: 7 files changed, 271 insertions(+), 17 deletions(-)
Vals Changes (PR #893)
vals.goAWSLogLevelfield to Options struct, callsSetDefaultLogLevel()pkg/awsclicompat/session.godefaultLogLevelvariable andSetDefaultLogLevel()function, enhancedparseAWSLogLevel()with preset supportpkg/awsclicompat/session_test.goTotal: 3 files changed, 99 insertions(+), 24 deletions(-)
Migration Path
For Vals Dependency Update (After PR #893 Merges)
For Users Upgrading Helmfile
No action required! The default is secure (no logging).
If you need debugging:
Related Issues & PRs
Checklist
pkg/plugins,pkg/remote)golangci-lint)